
PyTorch Namespace (Dependency) Confusion Attack


The holiday season has had a rough go over the past few years when it comes to supply chain incidents. 2021 famously saw the publishing of Log4Shell, and in 2022 a new incident affected a popular machine learning framework called PyTorch.

First reported by BleepingComputer and disclosed by PyTorch themselves, this attack works using a supply chain attack tactic known as namespace or dependency confusion. We have previously elaborated on this type of attack, and have reported it as being one of the fastest growing forms of supply chain attacks in our recent State of the Software Supply Chain report.

Who is affected?

As per the PyTorch disclosure, this attack targeted users of the PyTorch-nightly build as opposed to the regular releases. Users of the stable release are not affected. The nightly build downloads its dependent packages from a private Python registry, as opposed to the official PyPI package index from which the official releases get their dependencies.

How does it work?

One dependency used in the nightly build is a package called torchtriton. The attackers went on the official pypi.org registry and registered the package name there with a high version number. Many open source registries do not have namespace protection, meaning that anyone can register any package name for themselves.

During dependency resolution with Python's package tooling, the public pypi.org index generally takes precedence over private or alternative indexes, which is what the attacker used to their advantage.

Once the malicious package is fetched by the package manager, it executes a preinstall script without user interaction. The malicious payload then reads various files, including SSH keys and the contents of up to 1000 files in the $HOME directory, and exfiltrates a whole host of other information about the system back to a command and control
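The resolution step described above, as an added illustration that is not code from the original post or from the PyTorch project: a small model of a resolver that merges candidates from every configured index and picks the highest version (the behaviour that lets a higher-numbered public squat win), beside a hardened lookup that restricts a name to its trusted index and an audit that flags names exposed to this confusion. Index URLs and the version numbers are constructed sample data, not the real torchtriton release history.

```python
"""Model of dependency confusion across package indexes (constructed example)."""
from typing import Dict, List, Tuple

# Constructed index contents: index URL -> {package name: [versions]}.
# The pypi.org entry stands in for an attacker-registered squat with a high version.
TRUSTED_INDEX = "https://download.pytorch.org/whl/nightly/cu117"  # assumed private index
PUBLIC_INDEX = "https://pypi.org/simple"
INDEXES: Dict[str, Dict[str, List[str]]] = {
    TRUSTED_INDEX: {"torchtriton": ["2.0.0"]},
    PUBLIC_INDEX: {"torchtriton": ["3.0.0"]},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare simple X.Y.Z versions numerically (no PEP 440 pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def resolve_highest(name: str, indexes: Dict[str, Dict[str, List[str]]]) -> Tuple[str, str]:
    """Naive resolution: merge candidates from every index, highest version wins."""
    candidates = [(parse_version(v), v, url)
                  for url, pkgs in indexes.items() for v in pkgs.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: no candidates on any index")
    _, version, url = max(candidates)
    return version, url


def resolve_pinned(name: str, indexes: Dict[str, Dict[str, List[str]]],
                   trusted_index: str, pin: str = None) -> Tuple[str, str]:
    """Hardened resolution: only the trusted index is consulted for this name,
    and an exact version pin is enforced when one is given."""
    versions = indexes.get(trusted_index, {}).get(name, [])
    if pin is not None:
        versions = [v for v in versions if v == pin]
    if not versions:
        raise LookupError(f"{name}: not available on {trusted_index} (pin={pin})")
    return max(versions, key=parse_version), trusted_index


def audit_confusable(private_index: str, indexes: Dict[str, Dict[str, List[str]]]):
    """Detection: names on the private index that a public index also serves at a
    higher version, i.e. names a merge-and-take-highest resolver would hijack."""
    findings = []
    for name, versions in indexes[private_index].items():
        private_max = max(versions, key=parse_version)
        for url, pkgs in indexes.items():
            if url == private_index or name not in pkgs:
                continue
            public_max = max(pkgs[name], key=parse_version)
            if parse_version(public_max) > parse_version(private_max):
                findings.append((name, private_max, url, public_max))
    return findings
```

Running `audit_confusable(TRUSTED_INDEX, INDEXES)` on the sample data reports torchtriton, and `resolve_highest` shows the public 3.0.0 winning where `resolve_pinned` keeps 2.0.0 from the trusted index.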

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/pytorch-namespace-dependency-confusion-attack